
Avoid logging `Session cookie encryptor error: ...` by default?

Open · dentarg opened this issue 2 years ago · 0 comments

Does it make sense to be able to silence this logging or make it opt-in?

https://github.com/rack/rack-session/blob/d2f080c243cac167fc5176c5cf869e23fe7f6ec6/lib/rack/session/cookie.rb#L223-L224

Maybe behind $VERBOSE as done here?

https://github.com/rack/rack-session/blob/d2f080c243cac167fc5176c5cf869e23fe7f6ec6/lib/rack/session/abstract/id.rb#L397

Looks like it can log the following variants of `Session cookie encryptor error: <message>`:

  • `wrong version`
  • `Message is invalid`
  • `invalid message`
  • `HMAC is invalid`

I'm not sure they're useful to always have enabled (in production) as any user can trigger at least `Session cookie encryptor error: Message is invalid` by sending bogus data in the `Cookie` header.

dentarg · Jan 10 '24 11:01
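One way to get the opt-in behaviour the issue asks for without losing the signal, as an added example that is not rack-session's own code: a hypothetical middleware that wraps `rack.errors`, counts the `Session cookie encryptor error:` lines per client instead of writing them, and only passes them through when verbose (defaulting to `$VERBOSE`). `EncryptorErrorFilter`, `NOISY_APP` and `run_request` are constructed for this example.

```ruby
require 'stringio'

# Added example, not rack-session's own code: a hypothetical Rack middleware that
# wraps env['rack.errors'] so "Session cookie encryptor error: ..." lines are
# counted per client instead of written unless verbose ($VERBOSE opt-in).
class EncryptorErrorFilter
  PATTERN = /\ASession cookie encryptor error: /.freeze
  # IO-like wrapper: Rack::Session::Cookie calls `puts` on rack.errors.
  class FilteringErrors
    attr_reader :suppressed
    def initialize(inner, verbose)
      @inner, @verbose, @suppressed = inner, verbose, 0
    end
    def puts(*lines)
      lines.each { |l| write("#{l}\n") }
    end
    def write(str)
      s = str.to_s
      return @inner.write(s) if @verbose || !s.match?(PATTERN)
      @suppressed += 1 # keep the signal as a counter, not a log line
      s.bytesize
    end
  end
  attr_reader :counts # { remote_addr => suppressed encryptor errors }
  def initialize(app, verbose: $VERBOSE)
    @app, @verbose, @counts = app, verbose, Hash.new(0)
  end
  def call(env)
    errors = FilteringErrors.new(env['rack.errors'], @verbose)
    env['rack.errors'] = errors
    @app.call(env)
  ensure
    @counts[env['REMOTE_ADDR'] || 'unknown'] += errors.suppressed if errors
  end
end

# Constructed stand-in for rack-session reporting a tampered cookie.
NOISY_APP = lambda do |env|
  env['rack.errors'].puts 'Session cookie encryptor error: Message is invalid'
  env['rack.errors'].puts 'unrelated warning'
  [200, { 'content-type' => 'text/plain' }, ['ok']]
end

# One request through the filter; returns [logged text, counts hash].
def run_request(verbose: $VERBOSE, remote_addr: '203.0.113.7')
  log = StringIO.new
  app = EncryptorErrorFilter.new(NOISY_APP, verbose: verbose)
  app.call({ 'rack.errors' => log, 'REMOTE_ADDR' => remote_addr })
  [log.string, app.counts]
end
```

The per-client counter can be exported as a metric, so a burst of invalid cookies from one address is still visible without flooding the error stream.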